After canceling an instance, administrators should be able to irrevocably destroy it. This should delete all data, all backups, all repositories and all file storage. We should document exactly what is deleted and what is retained (e.g., we'll probably retain backup snapshots for 48 hours or so, because destroying them immediately is technically impractical, and we should reserve the instance name itself so another instance can't be registered in its place).
One concern here is accidental or malicious deletion. Some possible measures:
- Allow administrators to disable this feature (i.e., "this is too much power, remove this button and require an email to support in order to destroy instance data").
- Pass this feature through human review in the first place (i.e., someone on staff checks the request and makes sure the instance isn't still active, the account doesn't look compromised, etc.).
- Require all administrators on an account to sign off (kind of fluff, since the attacker can remove them, but it could be something like "all users who were administrators in the last 24 hours need to approve").
- Allow the deletion to be cancelled for 24 hours before it actually happens.
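As an added illustration (not code from the original post), here is a minimal model of the last two measures: sign-off is required from everyone who was an administrator in the 24 hours before the request, and the approved request stays cancellable for a further 24 hours. The class names, the two constants and the sample admin history are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

APPROVAL_LOOKBACK = timedelta(hours=24)   # everyone who was an admin in this window must sign off
GRACE_PERIOD = timedelta(hours=24)        # the request stays cancellable for this long


@dataclass
class DestroyRequest:
    instance: str
    requested_at: datetime
    admin_history: list                   # (user, became_admin_at, removed_at or None) tuples
    approvals: set = field(default_factory=set)
    cancelled: bool = False

    def required_approvers(self) -> set:
        # Anyone who was an admin at some point in the lookback window, including admins
        # removed since, so a single taken-over account cannot shrink the approver set.
        window_start = self.requested_at - APPROVAL_LOOKBACK
        return {user for (user, since, until) in self.admin_history
                if since <= self.requested_at
                and (until is None or until >= window_start)}

    def approve(self, user: str) -> None:
        if user not in self.required_approvers():
            raise PermissionError(f"{user} is not a required approver")
        self.approvals.add(user)

    def cancel(self, now: datetime) -> None:
        if now >= self.requested_at + GRACE_PERIOD:
            raise RuntimeError("grace period elapsed; destruction is irrevocable")
        self.cancelled = True

    def state(self, now: datetime) -> str:
        if self.cancelled:
            return "cancelled"
        if self.required_approvers() - self.approvals:
            return "awaiting-approval"
        if now < self.requested_at + GRACE_PERIOD:
            return "pending"              # fully approved, still cancellable
        return "destroy"                  # data is destroyed; the instance name stays reserved


# Constructed sample history: bob was removed 2 hours before the request and still
# counts as an approver; carol was removed 3 days earlier and does not.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_HISTORY = [("alice", T0 - timedelta(days=30), None),
                  ("bob", T0 - timedelta(days=30), T0 - timedelta(hours=2)),
                  ("carol", T0 - timedelta(days=30), T0 - timedelta(days=3))]
```

A request only reaches the "destroy" state once every required approver has signed off and the grace period has passed without a cancellation.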
I don't think this feature is hugely important, but I suspect we can have a more straightforward approach here than Facebook's "disable + regret 95% of the time, so destruction has to be super hard" workflow.